Summary

This trojan tries to connect your PC to a remote server to receive instructions from a malicious hacker. The hacker can then tell the trojan to perform any number of actions, including to download and run files. We have seen this trojan download variants of the rogue security scanner Rogue:Win32/Winwebsec.

Threat behavior

Installation

This trojan might arrive as a file attached to an email sent by a hacker using a spoofed email address. We've seen this trojan being delivered as a .ZIP or .RAR archive with names similar to the following:

FedEx_Label_ID_Order_83-27-4534US.zip

IRSPROFILE.zip

Label_Parcel_IN34-789-54UK.rar

Label_US.6366NT.zip

Postetikett_Deutsche_Post_AG_DE482456.zip

Print_Label_FedEx_AN173738US.zip

Ticket_AA_Air_ID186-178US.zip

Ticket_Delta_Air_Lines_US9760.zip

The archive contains an executable file with the same file name. If the trojan is run, it injects code into the running "svchost.exe" process, which results in the malware creating a copy of the trojan under a random file name, as in the following example:

The malware also modifies the registry so that it runs each time you start your PC.

Payload

Downloads other malware

TrojanDownloader:Win32/Kuluoz.B attempts to connect to multiple websites using a crafted URL that is similar to the following format:

<site>/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0

The parameters passed by the trojan to the website vary among variants of the trojan. Alongside the malicious sites, TrojanDownloader:Win32/Kuluoz.B also sends requests to legitimate sites such as Bing.com, Twitter.com, Google.com and Fb.com, mixing them in with its command-and-control requests to disguise its traffic.
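As an added example, not part of the original entry: a small Python script that scans constructed proxy log lines for requests matching the beacon format quoted above, while ignoring the benign-domain requests the trojan mixes in. The client address, hostnames and the second fq value are constructed placeholders, not indicators from the entry.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the original entry), in the
# shape "<client_ip> <method> <url>". The benign-domain requests mimic the
# cover traffic the trojan mixes in; two lines match the beacon format.
SAMPLE_LOG = """\
10.0.0.7 GET http://www.bing.com/
10.0.0.7 GET http://twitter.com/
10.0.0.7 GET http://example-c2.invalid/index.php?r=gate&fq=acc0e9de&group=sl15&debug=0
10.0.0.7 GET http://www.google.com/search?q=weather
10.0.0.7 GET http://another-c2.invalid/index.php?r=gate&fq=1f2e3d4c&group=sl15&debug=0
10.0.0.7 GET http://fb.com/
"""

# Query keys present in the beacon format quoted in the entry.
BEACON_KEYS = {"r", "fq", "group", "debug"}


def is_kuluoz_beacon(url: str) -> bool:
    """True if the URL has the Kuluoz.B gate request shape: a path ending
    in /index.php, all four beacon keys, r=gate and an 8-hex-digit fq."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_KEYS.issubset(qs):
        return False
    fq = qs["fq"][0]
    return (qs["r"] == ["gate"] and len(fq) == 8
            and all(c in "0123456789abcdef" for c in fq))


def find_beacons(log_text: str) -> list:
    """Parse "<client> <method> <url>" lines and return one record per hit
    (client, contacted host, group parameter) for triage or blocking."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _method, url = fields
        if is_kuluoz_beacon(url):
            qs = parse_qs(urlsplit(url).query)
            hits.append({"client": client, "host": urlsplit(url).hostname,
                         "group": qs["group"][0]})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```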

When the trojan successfully connects to a malicious site, it receives data that instructs the trojan to download a file named "3.exe", detected as Rogue:Win32/Winwebsec, from the website "scbirs.ch".